AmpliFi DNS server strips RFC1918 results in replies to clients

  • I'm disappointed in how the AmpliFi handles DNS overall. You can't modify the servers that the AmpliFi hands the clients (it always hands itself back as the DNS server), and if you happen to be using an external DNS server to map names to internal IPs for your network, the AmpliFi router will happily strip those results from your query as well. It makes no sense why this behavior exists, but it's a big bug. Either the local DNS server needs to be fixed or an option needs to be provided to override it and hand other DNS servers to the clients via DHCP.

    Good result via GPDNS:

    $ dig @

    ; <<>> DiG 9.8.3-P1 <<>> @
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48130
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

    ; IN A

    ;; ANSWER SECTION: 3404 IN A

    ;; Query time: 48 msec
    ;; SERVER:
    ;; WHEN: Tue Jan 9 14:59:39 2018
    ;; MSG SIZE rcvd: 49

    Bad result via AmpliFi:

    $ dig @

    ; <<>> DiG 9.8.3-P1 <<>> @
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36677
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

    ; IN A

    ;; Query time: 57 msec
    ;; SERVER:
    ;; WHEN: Tue Jan 9 14:56:24 2018
    ;; MSG SIZE rcvd: 33

    I already have a support case open on this, but I've thus far been disappointed at the inability to actually understand the problem here. Coming to the point where I hope I can still return this if need be.

  • Hi!

This is a well-known problem. We strip out private addresses from results because of security considerations (google: rebinding attack). This is fine for 99% of customers. But 1% is not happy - they use DNS for local addresses of some kind. We receive more and more requests to make it tunable. We will implement a GUI option to disable this security feature.
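The behaviour described in this reply, as an added illustration that is not AmpliFi's code: a minimal model of a resolver's rebinding filter that drops RFC1918 A records from a reply unless the queried name is on an exception list or the bypass option is set. The names, addresses and the tiny wire-format builder/parser are constructed for the example.

```python
"""Model of a DNS-rebinding filter: private (RFC1918) A records are stripped
from replies unless the name is on an exception list or the filter is bypassed.
Constructed example, not AmpliFi firmware code; names/addresses are illustrative."""
import ipaddress
import struct

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def build_response(qname, addrs, txn_id=0x1234):
    """Build a minimal DNS reply: flags qr/rd/ra, one A question, one A answer per address."""
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split(".")) + b"\x00"
    header = struct.pack(">HHHHHH", txn_id, 0x8180, 1, len(addrs), 0, 0)
    question = name + struct.pack(">HH", 1, 1)            # QTYPE=A, QCLASS=IN
    answers = b""
    for a in addrs:                                        # 0xC00C = pointer to the name at offset 12
        answers += b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + ipaddress.ip_address(a).packed
    return header + question + answers

def parse_answers(msg):
    """Return (qname, [A addresses]) from a reply produced by build_response."""
    ancount = struct.unpack(">H", msg[6:8])[0]
    pos, labels = 12, []
    while msg[pos]:
        n = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + n].decode())
        pos += 1 + n
    pos += 1 + 4                                           # name terminator + QTYPE/QCLASS
    addrs = []
    for _ in range(ancount):                               # each RR: 2-byte pointer + 10-byte fixed part
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[pos + 2:pos + 12])
        rdata = msg[pos + 12:pos + 12 + rdlen]
        if rtype == 1:
            addrs.append(str(ipaddress.ip_address(rdata)))
        pos += 12 + rdlen
    return ".".join(labels), addrs

def rebinding_filter(msg, exceptions=(), bypass=False):
    """Strip RFC1918 A records (the 'stripping' in this thread) and rebuild the reply.
    A reply with only private answers comes back as NOERROR with ANSWER: 0, like the dig
    output above. Names on the exception list and bypass=True pass through untouched."""
    qname, addrs = parse_answers(msg)
    if bypass or any(qname == e or qname.endswith("." + e) for e in exceptions):
        return msg
    txn_id = struct.unpack(">H", msg[:2])[0]
    kept = [a for a in addrs if not any(ipaddress.ip_address(a) in net for net in RFC1918)]
    return build_response(qname, kept, txn_id)
```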

@dmitrijs-ivanovs Will this be coming soon? If I at least had the option of overriding the router as DNS server, it would not be an issue. It leaves me no way to use internal DNS unless I run my own DNS server and set up every device on a static IP, which is unmanageable. I can wait a reasonable amount of time (say 1 - 3 months). Outside of that, I'd rather just move on to another solution. I'm looking for something that eases my frustration, which is why I went here, not something that increases it.

  • I currently run my own internal DNS, although I was doing that prior to implementing my AmpliFi system. It's not too bad but I only have this additional need for a certain set of machines that are all joined to an Active Directory, which allows me to easily manage this. I'm sure this won't work for you but just sharing a little bit of your pain as I did still have to jump through some hoops & went through quite a bit of trial-and-error before I understood how things worked well enough to get this working (because of AD, I can't go through the AmpliFi as a middleman for DNS - I have to go straight to my AD DNS server).

    Do be aware that with the current setup, if you have an internal DNS on your private network, that DNS will also resolve for your Guest network. I consider this a bug but they obviously have bigger fish to fry.

I wouldn't necessarily consider that a bug. Stripping DNS results I do, but regardless, they could do a better job in that regard as well by allowing you to limit the scope of IPs handed out to guests. Then if you were running your own internal system, you could limit the ranges that got DNS from those systems. But alas. I guess it's intended to be an "easy" black box system, but some of these decisions baffle me, in particular without leaving any means to override them. The only reason I'm off of a TP-Link router at this point is it died a year into its life and I'm sick of cheap and unreliable hardware. Easy to config is nice as well, so I went here. But I'm not changing my network setup to match a router when there is plenty of competition in this space.

The only way I can see that you would have gotten DNS to work at all would be to go static routes everywhere, or disable DHCP entirely and use an internal DHCP server. I suppose that's one way around it. It's a lot more than I care to do though for a network I'm trying to simplify.

  • Actually, this would explain why there's a lot of weird breakage on services that use external servers to facilitate connections with things inside the network. For example:
    The entire domain is non-functional, forcing me to disable security features like SSL.

  • @andrew-kraut

    Andrew, actually is in our exception list. It was already reported by customers before. Isn't it working for you?

  • @dmitrijs-ivanovs Can I get an answer as to when this might be fixed? I'm still barely a couple of weeks into my ability to return this. I don't intend on keeping it if this is going to be an issue a year down the line.

  • @dmitrijs-ivanovs Can I please get some feedback on an ETA or some information on a workaround? The broken behavior and lack of response isn't giving me warm and fuzzies about my product purchase at this point.

  • Hi @frank-even,

Below is the link to AmpliFi router firmware test build version 2.5.x 2033 with the Bypass DNS cache option available in the router's Web UI settings. It should solve the issue you are experiencing with stripped DNS responses.

If you wish to test the feature, please update your router with the firmware file linked below using the following address: http://amplifi.lan/fwupdate.php

    [link removed]

    Important notes:

    • HW NAT is broken in this version, do not enable!
    • Make sure to reconnect stations after enabling "Bypass DNS cache" in order for them to receive a new DNS server list via DHCP.
    • http://amplifi.lan might not be accessible after enabling "Bypass DNS cache". Use the router's IP to access its Web UI if needed.

  • @ubnt-karlis I assume you have to be local to the Amplifi - can you update the unit remotely?

  • @frank-even Frank - Please report back on this. This is a big problem for me running public servers on a private network with 1-1 NAT. The Amplifi strips out the private address and no one in-house can access the servers. - (Sorry @UBNT-Karlis )

@ubnt-karlis I uploaded the firmware to my Amplifi and I cannot find a setting to "Bypass DNS Cache". Can you elaborate please? The current fw is 2.5.x 2033-236 and of course it is telling me there is an update.

    Nevermind, I figured it out. I am trying now to get someone from the location where the Amplifi is located to refresh a device and connect so I can test.

  • @hanz-shcaerp OK I was able to test the DNS bypass and it works. It does however still add the router address to the DNS list after my DNS servers but it works fine.

  • @Dennis-Horn, @Scott-Heckenlaible: is the new DNS bypass setting in the test build useful for you?

@ubnt-gunars I am having good success with this beta 2.5.x 2033. Not only is my DNS working fine but my speed has increased and seems to be more consistent. I have run speed tests several times from different locations in my house and am getting full bandwidth!! I assume this is a newer beta than 2.5.4rc1; however, the app is constantly trying to "upgrade" the firmware to 2.5.4rc1. I'm afraid it will get selected accidentally, so is there a way to stop the aggressive upgrade insistence?

  • @hanz-shcaerp We'll just update the beta, so you don't have to use this custom build.

  • @ubnt-gunars Thanks!!

  • I don't have this issue in bridge mode, so that is also a workaround.
    In bridge mode it passes all DHCP config from my DHCP server and thus uses my DNS server.